Bug #75712 php-fpm's import_environment_variables impl should not copy $_ENV, $_SERVER
Submitted: 2017-12-20 13:18 UTC Modified: 2018-02-11 05:20 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: adam at lavoaster dot co dot uk Assigned:
Status: Closed Package: FPM related
PHP Version: 7.1.12 OS: linux
Private report: No CVE-ID: None

 [2017-12-20 13:18 UTC] adam at lavoaster dot co dot uk
This came out of looking into an issue here -

If $_SERVER['argv'] exists anywhere in the code, it doesn't matter if it isn't called, just as long as it's included, it will add 'argv' and 'argc' to the return of 'getenv()' when called without any parameters.

Just a note: If you have xdebug installed, this issue will not present itself.

Test script:


function notcalled()

Expected result:
It shouldn't return 'argv' or 'argc' in the return array, especially as 'argv' is an array which would break scripts that would directly use getenv(), like Symfony process did, straight into proc_open.

Actual result:
It returns 'argv' and 'argc' in the returning array.


 [2017-12-20 13:34 UTC]
-Status: Open +Status: Feedback
 [2017-12-20 13:34 UTC]
I haven't been able to reproduce with the CLI or the embedded server.

Which SAPIs? (Apache module, FastCGI, etc.)
Does it happen if you reference $_SERVER at all and not just with ['argv'], as in

function notcalled() {
 [2017-12-20 13:55 UTC] adam at lavoaster dot co dot uk
-Status: Feedback +Status: Open
 [2017-12-20 13:55 UTC] adam at lavoaster dot co dot uk
Huh, yeah. If I just reference $_SERVER it will populate the return of getenv() with 'argv' and 'argc'.

I'm running an nginx / php-fpm (fpm-fcgi?) setup here.
 [2018-02-11 05:20 UTC]
-Summary: If $_SERVER['argv'] exists in code, calls to getenv() will return argv and argc
+Summary: php-fpm's import_environment_variables impl should not copy $_ENV, $_SERVER
-Package: *General Issues
+Package: FPM related
 [2018-02-11 05:20 UTC]
So I did some more digging and this behavior is caused by php-fpm specifically: PHP core has an implementation to list environment variables as an array, and php-fpm is necessarily overriding it. What it does is copy $_ENV if defined, or else $_SERVER if defined, or else fall back to the original implementation plus some FastCGI values.

The ironic thing is that this started with request #69359 which wanted getenv to return an array because $_ENV is not always accessible and because it won't reflect changes made during runtime, but php-fpm's implementation (written years before when it was first introduced) does the opposite of that.

So you're getting argc/v because referencing $_SERVER instructs PHP to create that variable (see the auto_globals_jit setting) which naturally includes those two, and php-fpm is giving you a copy of that array.

I don't know why php-fpm wants to copy $_ENV/SERVER? Without knowing the reason for that, or exactly where else it gets used, I would think those two bits should be removed entirely...
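
A defensive pattern for code that passes getenv() to proc_open() on an affected php-fpm build, added here as an example; it is not part of the original thread, php-src, or Symfony. The helper name child_process_env(), its allow-list, and the sample array are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: build an environment array that is safe to hand to
 * proc_open() even when getenv() returns a copy of $_SERVER, as this
 * report describes for php-fpm.
 */
function child_process_env(array $raw, array $allow = ['PATH', 'HOME', 'LANG', 'TZ']): array
{
    $env = [];
    foreach ($raw as $name => $value) {
        // argv arrives as an array when $_SERVER is copied; anything that is
        // not a string cannot be a real environment entry, so drop it.
        if (!is_string($name) || !is_string($value)) {
            continue;
        }
        // Allow-list: a copied $_SERVER also carries per-request values,
        // which a child process has no reason to inherit.
        if (!in_array($name, $allow, true)) {
            continue;
        }
        $env[$name] = $value;
    }
    return $env;
}

// Constructed sample of what getenv() can return on an affected worker.
$affected = [
    'PATH'        => '/usr/local/bin:/usr/bin:/bin',
    'HOME'        => '/var/www',
    'REQUEST_URI' => '/index.php?x=1',
    'argv'        => ['x=1'],
    'argc'        => 1,
];
var_dump(child_process_env($affected));

// Live use: pass the filtered environment to the child explicitly instead
// of the raw getenv() result.
$proc = proc_open('env', [1 => ['pipe', 'w']], $pipes, null, child_process_env(getenv()));
if (is_resource($proc)) {
    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
}
```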
 [2024-01-19 14:57 UTC]
The following pull request has been associated:

Patch Name: Fix bug #75712: getenv in php-fpm should not read $_ENV, $_SERVER
On GitHub:
 [2024-02-04 12:01 UTC]
Automatic comment on behalf of bukka
Log: Fix bug #75712: getenv in php-fpm should not read $_ENV, $_SERVER
 [2024-02-04 12:01 UTC]
-Status: Open +Status: Closed
Last updated: Tue May 21 10:02:33 2024 UTC